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(54) Alarm systems 



may request a display of all alarms 
present in a particular group. 



(57) An alarm system includes a 
computer 20 arranged to analyse 
various alarm conditions of appa- 
ratus (e.g. a nuclear power plant) to 
determine which alarms result from 
the prime causes of a number of 
alarms which may be present. The 
prime cause alarms are displayed 
on a visual display unit 32 and the 
presence of subsidiary alarms is in- 
dicated by group alarm lamp on a 
group alarm panel 34. The operator 
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synthetic alarms which are detected by logic 
analysis of the alarms which may be present 
in the group. 

Subsidiary information, such as references 
5 to sections of an instruction manual, may also 
be held in the store. 

When an alarm analysis for a particular 
group is either operator requested or is re- 
quired in response to automatic analysis as 
1 0 hereinafter stated the plant group data for the 
respective group is located from the backing 
store 30 and is transferred to the fast access 
store 40. 

A threading organiser programme now 
1 5 threads the data in the group through appro- 
priate standard sub-routines of the computer 
20. 

The principle subroutines provided are titled 
ANALYSISGROUP, FETCH, LINK, DISPLAY 

20 and GROUP. The functions of each of these 
subroutines is as follows: The subroutine 
ANALYSISGROUP: n calls the data for group 
n from the backing store 30 to the fast access 
store 40 of the computer 20. 

25 FETCH: alarm no. The FETCH subroutine ex- 
amines the respective data word (as defined 
by the data called from the backing store) 
relating to the alarm number to determine 
whether the monitored condition is an alarm. 

30 If the condition is normal (i.e. not an alarm) 
the programme proceeds to the next FETCH 
or if all alarms of this group have been 
examined to the next ANALYSISGROUP. 
If an alarm is present a LINK or DISPLAY 

35 subroutine, dependent on the position of the 
alarm in the alarm tree will be entered. 
LINK: alarm No. The LINK subroutine exam- 
ines the respective data word (as defined by 
the data called from the backing store) relat- 

40 ing to the alarm number to determine whether 
the alarm condition is present. If the higher 
order alarm condition is not present exit from 
the LINK subroutine is to either a further LINK 
or a DISPLAY subroutine. If the alarm condi- 

45 tion is present exit from the LINK subroutine 
will be a subsequent FETCH or to the next 
ANALYSISGROUP. 

GROUP: 'm': list 'p' synthetic alarm no. The 
GROUP subroutine is used to raise a synthetic 

50 alarm if a number 'm' of alarms of a sub- 
group of the main group is present. The alarm 
numbers of each member of the subgroup are 
held in a list 'p' which will have been trans- 
ferred from the backing store by the ANALY- 

55 SISGROUP subroutine. If 'm' or more of the 
alarms in list 'p' are present a DISPLAY 
subroutine is entered to display the synthetic 
alarm defined by the synthetic alarm number 
on the prime cause VDU 32. Exit from the 

60 GROUP subroutine is to a further GROUP 
subroutine or to a DISPLAY subroutine. 

FETCH and LINK subroutines may exit to a 
GROUP subroutine. 

The data for FETCH and LINK subroutines 

65 may include a system parameter to prevent 



the subroutine being entered when the check 
being made is not on the particular system. 

Preparation of the data for each group may 
be more readily understood by consideration 
70 of following examples. 

Referring to Figs. 4 and 5 when assembled 
as shown in Fig. 3 the alarm tree shown is for 
a gas circulator (GC) system of a nuclear 
power station having two reactors (R1 and 
75 R2). 

The lower left hand corner of Fig. 4 in- 
cludes an alarm statement GC motor coolant 
gas outlet temperature hi. The data for this 
alarm would show that GC304A1 is "GC A1 
80 Motor Coolant Gas outlet temperature high" 
and that the alarm may be subsidiary to the 
alarms GC302A1A, GC302A1B, GC302A1C 
and GC303A1 . 

The threading organiser programme inter- 
85 prets this data through the subroutines as:- 

FETCH: GC304A1 

LINK: GC302A1A 

90 

LINK: GC302A1B 

LINK: GC302A1C 

95 LINK: GC303A1 

DISPLAY: GCA1 MOTOR COOLANT GAS 
OUTLET TEMP HIGH. 

100 The threading of the data as shown occurs 
if none of the alarms GC302A1 A, 
GC302A1B, GC302A1C or GC303A1 is pre- 
sent and that GC304A1 is present. This be- 
ing the case GC304A1 is the highest order 

105 alarm present and is displayed as the prime 
cause. 

If one of the higher order alarms is present 
the threading of data through the LINK su- 
broutines ceases and the threading organiser 

110 proceeds to thread data relating to the next 
alarm. The higher order alarm will subse- 
quently be analysed in its own right and may 
then be displayed as the prime cause alarm. 
Thus if GC302A1 B is also in the alarm con- 

115 dition and assuming GC303A1 not to be so 
when the threading of data for GC302A1 B 
occurs a prime cause display of "GC A1 
MOTOR TEMP HIGH" will be displayed. 
Therefore the operator is led to the cause of 

1 20 the outlet temperature being high rather than 
the effect of the motor temperature being 
high. 

Considering a more complex piece of analy- 
sis for the gas circulator gas cooling water 
1 25 flow as shown in the top left of Fig. 5 the 
threading organiser will thread data for this 
alarm: 

FETCH: GC122A1A 
130 LINK(R1): RP1061 
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LINK(RI): RP1421 
GR0UP:2: LIST 1 : GC402 

5 

DISPLAY: GCA1A GAS COOLER CW FLOW 
LOW. 

List 1 will comprise GC122A1A 

10 

GC122A1B 
GC122A2A 

15 GC122A2B 

Thus if GC122A1A is in the alarm condi- 
tion, RP1061 of reactor 1 (LINK(R1)) (reactor 
cooling water system flow low) and RP1421 

20 of reactor 1 are checked. If neither of the high 
order alarms are present then associated gas 
cooler cooling water flow alarms CG122A1A, 
GC122A1B, CG122A2A, GC122A2B are 
checked and if any two or more of these four 

25 alarms are present (GR0UP:2) the synthetic 
alarm "GC402 GC cooler system cooling wa- 
ter flow low" is displayed on the prime cause 
VDU 32. 

It will be appreciated that separating the 
30 scanning and analysis of the alarms rather 
than attempting to analyse each alarm as it 
arises, prevents the computer being swamped 
by making major demands on the backing 
store and waiting for the appropriate data to 
35 be transferred. 

All alarms may be displayed to the operator 
but the principle faults are also made readily 
apparent. 

In the absence of a specific request from 

40 the operator for an analysis of a particular 
group the computer 20 may be arranged to 
call for an analysis of each group in turn at 
periodic intervals so that the operator is kept 
informed of the prime causes of all the alarm 

45 conditions present in the system. 

Since the computer is also capable of in- 
putting various conditions such as the open- 
ing or closing of manually operable valves the 
operator may by use of the keyboard 33 

50 request an analysis of a suitable plant state 
under fault conditions. 

The threading organiser may be used to 
thread respective data through the same su- 
broutines to analyse the current plant state 

55 and advise the operator on corrective proce- 
dures. 

Accidents at various power stations have 
brought out the importance of correct preven- 
tative action when alarms initially appear, and 

60 of the importance of the coincidence of two or 
three fault states which of themselves, individ- 
ually, result only in a correct operation of 
standby plant or in a reduction of plant integ- 
rity in a designed and individually acceptable 

65 manner. 



As a particular example consider the re- 
straints on operation in a nuclear plant which 
must be imposed in order to ensure continued 
availability of post-trip cooling, in the event of 

70 major hazards, for example, cable fires or 
coolant circuit breach. 

Typically, four diesel driven fire fighting 
pumps may be provided for a station and 
operation may continue safely with one pump 

75 not available, but an increasing hazard exists 
if a pump outage is prolonged. If two pumps 
are not available, then within a period (say 2 
hours) the station should be shutdown even if 
no fire exists, for reasons of prudence. 

80 A gas cooled reactor typically has 4 boiler 
circuits, each with a gas circulating blower 
driven by a main motor, and by an auxiliary 
pony motor used at shutdown. Post-trip, at 
least one boiler must be available - where 

85 availability is defined by an actual require- 
ment, such as follows:- 
1a) The pony motor supply is available. 
1 b) The pony motor control supply is avail- 
able. 

90 1c) The pony motor control equipment is 
available. 

1d) The pony motor protection has not oper- 
ated 

1e) Associated Gas circulator Bearing Temper- 
95 atures are not excessive, 
and 

1f) An associated circulator inlet guide vane 
operating Fast Motor is available. 

The unavailability of any of the above is 
1 00 indicated by the presence of an accompanying 
alarm. 

Non-alarm operating constraints include:- 
1g) An associated Pony Motor Mode Selector 
Switch is selected to the Auto Start position; 
105 1h) A 41 5v Gas Circulator Board bus section 
switch is available whenever a Pony Motor/ 
Boiler Unit within the same sub-set is not 
available; 

1j) one 3.3 kV/415V Gas Circulator Transfor- 
110 mer is available in each sub-set; 

1k) An associated Emergency Feed Header 
Discharge Valve is fully open; 
11) an associated Economiser Isolating Valve is 
fully open; 

115 1 m) an associated Start-up Feedwater Regula- 
tor Valve is fully open; 

1 n) control equipment providing close action 
of the associated Boiler Stop Valve is avail- 
able; 

120 1o) associated Steam Dump Valve control 
equipment is available; 

1 p) automatic mode of control is selected for 
use on the Steam Dump Valve Control Sys- 
tem. Selection of the manual mode of control 
1 25 is indicated by an alarm; 

1q) the Steam Dump Valve Control Equipment 
is not on test. Equipment on test is indicated 
by an alarm; and 

1r) Steam Dump Pressure Demand is within 
1 30 predetermined limits of the required value for 
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use post-trip. 

Operating restraints involved on boiler pairs 
5 can be expressed on the basis of two separate 
sets of boilers - say set one comprising 
Boilers A and B and set 2 comprising Boilers 
C and D. 

For safety purposes (as an example): 
-10 2a) not more than one boiler must be unavail- 
able within each set of a reactor at power for 
a period in excess of 1 hour unless orderly 
shutdown of the reactor is initiated; 
2b) The unavailability of one boiler in either 
1 5 set is undesirable and should not be allowed 
to persist for long periods because if a fire 
should affect one set the circulator motor 
post-trip run on protection could affect the 
other set. Operation on three gas circuits 
20 should be initiated if the situation has not 
been improved after 4 hours, to reduce the 
probability of an available boiler unit being 
lost as a result of failure to trip a main motor 
breaker; 

25 2c) The integrity of a boiler is attained by the 
use of redundant power supplies etc. Where 
one boilder unit of a set is unavailable and 
there is not a full complement of essential 
supplies available to the other unit or unavail- 

30 ability of changeover units, orderly shutdown 
of the reactor shall be initiated if the situation 
cannot be corrected within a period of 4 
hours; 

2d) The System integrity relies upon the avail- 
35 ability of a fully connected Emergency Feed 
Header. It is undesirable for the header valves 
(either manual or automatic) to be closed. If a 
boiler is unavailable (say in set 2) the auto- 
matic or manual valve associated with the 
40 header section feeding the set 1 boilers 

should not be closed for more than 1 2 hours; 
or 

2e) The unavailability of one boiler in one set 
coexisting with the unavailability in the other 

45 set of a Gas Circulator Transformer should not 
be allowed to persist for more than 8 hours. 

The above restraints can be represented by 
a combination of alarm grouping and of truth 
tables. These in turn can be expressed by 

50 means of alarm analysis data and interpreted 
in the manner already described. The coinci- 
dence of operation of alarms may be used to 
generate appropriate alarms, and display a 
phrase including a time limit. A time delay 

55 subroutine may be included so that an addi- 
tional alarm is displayed after the appropriate 
delay. 

In the case of the above example, "boiler 
not available" alarms (1A, 1B, 1C, 1D for 

50 each boiler) must be derived by a GROUP 
subroutine involving 1(a) to 1(r) above, initi- 
ated as described if any of 1(a) to 1(r) are in 
the unacceptable state. 

The backing store data to check the accep- 

55 tability of the plant in respect of operating 
restraints 2(a) and 2(b) may be used by the 
threading organiser thus: 



LIST R1R2: Boiler A; Boiler B; Boiler C: Boiler 
70 D - 

LIST R1: Boiler A; Boiler B. 
LIST R2: Boiler C: Boiler D. 
GROUP: 2: LIST R1: SHUTDOWN ALARM 
GROUP: 2: LIST R2: SHUTDOWN ALARM 
7R GROUP: 1: LIST R1R2: ISOLATE ALARM 
FETCH: SHUTDOWN ALARM 
DISPLAY: TWO BOILERS FAILED SHUT- 
DOWN WITHIN 1 HOUR 
FETCH: ISOLATE ALARM 
fio LINK: SHUTDOWN ALARM 

DISPLAY: BOILER FAILURE — ISOLATE 
WITHIN 4 HOURS 

Thus when alarm analysis is carried out in 
the automatic mode the threading organiser 
gc threads the data through the provided subrou- 
tines first using the GROUP subroutine to 
determine whether both boilers (GROUP: 2) of 
either set (LIST R1 /LIST R2) are unavailable. 
If this is the case the subroutine enters the 
gO shutdown alarm in the fast access store 40 
and the backing store 30. 

If any one of the four boilers is unavialable 
(GROUP: 1) an isolate alarm is generated. 
If the shutdown alarm is present the prime 
qr cause visual display unit 32 will display 
"TWO BOILERS FAILED — SHUTDOWN 
WITHIN 1 HOUR". 

In this case the isolate alarm is treated as a 
subsidiary alarm. If the isolate alarm is pre- 
1 00 sent without the shutdown alarm the prime 
cause visual display unit 32 will display "BO- 
ILER FAILURE — ISOLATE WITHIN 4 
HOURS". 

The example above illustrates the principle 
1 05 for analvsin 9 plant states. The remaining oper- 
ating restraints may be derived in a similar 
manner. 

CLAIMS 

^0 1 * An aJarm system comprising a com- 
puter, first display means for displaying prime 
cause alarm information, further display 
means for displaying subsidiary alarms which 
are dependent upon at least one associated 

115 a ^ arm displayed on the first display means, 
the status of each condition being monitored 
by the computer being presented at an input 
of the computer in digital form and being read 
by the computer at periodic intervals, the 

1 20 com P uter having at least one data word for 
each of the conditions being monitored and 
being arranged at each reading of a condition 
to compare the current status of said condi- 
tion with the previous status of the condition 

1 25 as indicated by its respective stored data to 
determine when a change of status of the 
condition occurs and if the change of status 
indicates that the condition is an alarm to 
determine to which one of n groups of alarms 

1 30 the alarm belongs, and to activate a respective 
one of n warning means of the further display 
means associated with the particular group of 
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alarms the computer also being arranged peri- 
odically to consider each alarm with respect 
to any other alarms to determine whether the 
alarm is a prime cause or is an alarm resulting 
5 from another cause and to display each said 
prime cause alarm on the first display means. 

2. An alarm system as claimed in Claim 1 
in which said first display means is a visual 
display unit. 

10 3. An alarm system as claimed in Claim 2 
in which the computer is arranged to cause 
each prime cause alarm to be displayed as a 
phrase or sentence on the visual display unit. 
4. An alarm system as claimed in Claim 3 

1 5 in which the computer is also arranged to 
cause the visual display unit to display a 
reference to further information which is avail- 
able for at least some of the displayed prime 
cause alarms. 

20 5. An alarm system as claimed in any 

preceding claim in which the computer is also 
arranged periodically to consider predeter- 
mined groupings of the conditions being 
monitored and, if more than a specified num- 

25 ber of one of said predetermined groupings 
are in an alarm state without a higher order 
alarm relating to a monitored condition being 
present, to cause the first display means to 
display a prime cause alarm determined from 

30 said grouping. 

6. An alarm system as claimed in any 
preceding claim in which the computer is also 
arranged periodically to consider the opera- 
tional capability of parts of the apparatus 

35 being monitored, to determine the acceptabil- 
ity of continued operation of the apparatus if 
some parts of the apparatus are not available 
for use and, if continued operation of the 
apparatus is unacceptable to cause said first 

40 display means to display an appropriate mes- 
sage. 

7. An alarm system as claimed in Claim 
6 in which the computer is also arranged to 
determine, in dependence on the parts of the 

45 apparatus which are not available for use and 
by consideration of the probability of further 
parts of the apparatus becoming unavailable, 
the probability of continued operation of the 
apparatus becoming unacceptable within a 

50 calculated period and to cause the first display 
means to display a warning message includ- 
ing said caculated period. 

8. An alarm system as claimed in any 
preceding claim including a keyboard for use 

55 by an operator to request the computer to 
display on the first display means the titles of 
all of the alarm conditions present in one of 
said groups of alarms. 

9. An alarm system as claimed in Claim 8 
60 in which the computer is also arranged to 

respond to a keyboard request for an analysis 
of one of said groups of alarms. 

1 0. An alarm system substantially as here- 
inbefore described with reference to the ac- 

65 company ing drawings. 
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